.TH CONNTRACK 8 "Aug 9, 2019" "" ""

.\" Man page written by Harald Welte <laforge@netfilter.org> (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org> (May 2007)

.SH NAME
conntrack \- command line interface for netfilter connection tracking
.SH SYNOPSIS
.BR "conntrack -L [table] [options] [-z]"
.br
.BR "conntrack -G [table] parameters"
.br
.BR "conntrack -D [table] parameters"
.br
.BR "conntrack -I [table] parameters"
.br
.BR "conntrack -A [table] parameters"
.br
.BR "conntrack -U [table] parameters"
.br
.BR "conntrack -E [table] [options]"
.br
.BR "conntrack -F [table]"
.br
.BR "conntrack -C [table]"
.br
.BR "conntrack -S "
.br
.BR "conntrack -R file"
.SH DESCRIPTION
The \fBconntrack\fP utility provides a full\-featured userspace interface to the
Netfilter connection tracking system that is intended to replace the old
/proc/net/ip_conntrack interface. This tool can be used to search, list,
inspect and maintain the connection tracking subsystem of the Linux kernel.

Using \fBconntrack\fP, you can dump a list of all (or a filtered selection of)
currently tracked connections, delete connections from the state table, and
even add new ones.

In addition, you can also monitor connection tracking events, e.g. show an
event message (one line) per newly established connection.

.SH TABLES
The connection tracking subsystem maintains several internal tables:
.TP
.BR "conntrack" :
This is the default table.  It contains a list of all currently tracked
connections through the system.  Unless you use connection tracking
exemptions (the NOTRACK iptables target), this means every connection that
goes through the system.
.TP
.BR "expect" :
This is the table of expectations.  Connection tracking expectations are the
mechanism used to "expect" \fBRELATED\fP connections to existing ones.
Expectations are generally used by "connection tracking helpers" (sometimes
called application level gateways [ALGs]) for more complex protocols such as
FTP, SIP or H.323.
.TP
.BR "dying" :
This table shows the conntrack entries that have expired and have been
destroyed by the connection tracking system itself, or via the \fBconntrack\fP
utility.
.TP
.BR "unconfirmed" :
This table shows new entries that are not yet inserted into the conntrack
table. These entries are attached to packets that are traversing the stack
but have not yet reached the confirmation point at the postrouting hook.

The tables "dying" and "unconfirmed" are basically only useful for debugging
purposes. Under normal operation, it is hard to see entries in either of them.
There are corner cases where it is valid to see entries in the unconfirmed
table, e.g. when packets are enqueued via nfqueue, and in the dying table,
e.g. when \fBconntrackd(8)\fP runs in event reliable mode.

.SH OPTIONS
The options recognized by \fBconntrack\fP can be divided into several different
groups.

.SS COMMANDS
These options specify the particular operation to perform.  Only one of them
can be specified at any given time.
.TP
.BI "-L, --dump "
List connection tracking or expectation table
.TP
.BI "-G, --get "
Search for and show a particular (matching) entry in the given table.
.TP
.BI "-D, --delete "
Delete an entry from the given table.
.TP
.BI "-I, --create "
Create a new entry in the given table; it fails if the entry already exists.
.TP
.BI "-A, --add "
Add a new entry to the given table.
.TP
.BI "-U, --update "
Update an entry in the given table.
.TP
.BI "-E, --event "
Display a real-time event log.
.TP
.BI "-F, --flush "
Flush the whole given table.
.TP
.BI "-C, --count "
Show the table counter.
.TP
.BI "-S, --stats "
Show the in-kernel connection tracking system statistics.
.TP
.BI "-R, --load-file "
Load entries from a given file. To read from stdin, "\-" should be specified.

.SS PARAMETERS
.TP
.BI "-z, --zero "
Atomically zero counters after reading them.  This option is only valid in
combination with the "\-L, \-\-dump" command options.
.TP
.BI "-o, --output [extended,xml,save,timestamp,id,ktimestamp,labels,userspace] "
Display output in a certain format. With the extended output option, this tool
displays the layer 3 information. With ktimestamp, it displays the in-kernel
timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP
key \fBnet.netfilter.nf_conntrack_timestamp\fP).
The labels output option tells \fBconntrack\fP to show the names of connection
tracking labels that might be present.
The userspace output option shows whether the event has been triggered by a
process.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code.  Using this parameter, you can reduce the event messages generated
by the kernel to the types that you are actually interested in.
.
This option can only be used in conjunction with "\-E, \-\-event".
.TP
.BI "-b, --buffer-size " "value"
Set the Netlink socket buffer size in bytes. This option is useful if the
command line tool reports ENOBUFS errors. If you do not pass this option, the
default value available at \fBsysctl(8)\fP key \fBnet.core.rmem_default\fP is
used. The tool reports this problem if your process is too slow to handle all
the event messages or, in other words, if the amount of events is big enough
to overrun the socket buffer. Note that using a bigger buffer reduces the
chance of hitting ENOBUFS, but at the cost of more memory consumption.
.
This option can only be used in conjunction with "\-E, \-\-event".

.SS FILTER PARAMETERS
.TP
.BI "-s, --src, --orig-src " IP_ADDRESS
Match only entries whose source address in the original direction equals the
one specified as argument. Implies "--mask-src" when CIDR notation is used.
.TP
.BI "-d, --dst, --orig-dst " IP_ADDRESS
Match only entries whose destination address in the original direction equals
the one specified as argument. Implies "--mask-dst" when CIDR notation is used.
.TP
.BI "-r, --reply-src " IP_ADDRESS
Match only entries whose source address in the reply direction equals the one
specified as argument.
.TP
.BI "-q, --reply-dst " IP_ADDRESS
Match only entries whose destination address in the reply direction equals the
one specified as argument.
.TP
.BI "-p, --proto " "PROTO "
Specify layer four (TCP, UDP, ...) protocol.
.TP
.BI "-f, --family " "PROTO"
Specify layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "\-L, \-\-dump". If this
option is not passed, the default layer 3 protocol will be IPv4.
.TP
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
.BI "-m, --mark " "MARK[/MASK]"
Specify the conntrack mark.  Optionally, a mask value can be specified.
In "\-\-update" mode, this mask specifies the bits that should be zeroed before
XORing the MARK value into the ctmark.
Otherwise, the mask is logically ANDed with the existing mark before the
comparison. In "\-\-create" mode, the mask is ignored.
.TP
.BI "-l, --label " "LABEL"
Specify a conntrack label.
This option is only available in conjunction with "\-L, \-\-dump",
"\-E, \-\-event", "\-U \-\-update" or "\-D \-\-delete".
Match entries whose labels include those specified as arguments.
Use multiple \-l options to specify multiple labels that need to be set.
.TP
.BI "--label-add " "LABEL"
Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create",
"\-A, \-\-add" or "\-U, \-\-update".
As a rule of thumb, you must use either the 'connlabel' match in your iptables
ruleset or the 'ct label' statement in your nftables ruleset: this turns on
ct label support in the kernel and allows you to update labels via
"\-U, \-\-update"; otherwise label updates are ignored.
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
If no label is given, all labels are deleted.
This option is only available in conjunction with "\-U, \-\-update".
.TP
.BI "-c, --secmark " "SECMARK"
Specify the conntrack selinux security mark.
.TP
.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]"
Specify the conntrack status.
.TP
.BI "-n, --src-nat "
Filter source NAT connections.
.TP
.BI "-g, --dst-nat "
Filter destination NAT connections.
.TP
.BI "-j, --any-nat "
Filter any NAT connections.
.TP
.BI "-w, --zone "
Filter by conntrack zone. See iptables CT target for more information.
.TP
.BI "--orig-zone "
Filter by conntrack zone in original direction.
See iptables CT target for more information.
.TP
.BI "--reply-zone "
Filter by conntrack zone in reply direction.
See iptables CT target for more information.
.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
Implies "--mask-src" when CIDR notation is used.
.TP
.BI "--tuple-dst " IP_ADDRESS
Specify the tuple destination address of an expectation.
Implies "--mask-dst" when CIDR notation is used.
.TP
.BI "--mask-src " IP_ADDRESS
Specify the source address mask.
For conntracks this option is only available in conjunction with
"\-L, \-\-dump", "\-E, \-\-event", "\-U \-\-update" or "\-D \-\-delete".
For expectations this option is only available in conjunction with
"\-I, \-\-create".
.TP
.BI "--mask-dst " IP_ADDRESS
Specify the destination address mask.
Same limitations as for "--mask-src".
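.PP
As an added illustration that is not part of this man page, the following shell
functions reproduce the "\-m MARK[/MASK]" arithmetic described above (update
mode versus filter mode) and run the filter over constructed sample lines in
"conntrack \-L" format. When no mask is given, the mask is assumed to be all
ones, which is consistent with the "\-U ... \-m 1" example under EXAMPLES.

```shell
# Added example, not part of the conntrack man page: shell arithmetic that
# reproduces the "-m MARK[/MASK]" semantics and applies them to constructed
# sample lines in "conntrack -L" format.

# "-U -m MARK/MASK": zero the MASK bits of the current ctmark, then XOR MARK in.
# The mask when none is given is assumed to be all ones (0xffffffff), which is
# what makes "conntrack -U ... -m 1" set the whole mark to 1.
ct_mark_update() {            # $1 = current ctmark, $2 = MARK, $3 = MASK (optional)
    mask=${3:-4294967295}
    echo $(( ($1 & ~mask) ^ $2 ))
}

# "-L/-D/-E -m MARK/MASK": the entry matches when (ctmark & MASK) == MARK.
ct_mark_matches() {           # $1 = current ctmark, $2 = MARK, $3 = MASK (optional)
    mask=${3:-4294967295}
    [ $(( $1 & mask )) -eq "$2" ]
}

# Constructed sample in "conntrack -L" format; only the first src= field
# (original direction) and the mark= field are used below.
SAMPLE_ENTRIES='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.7 sport=53 dport=5353 mark=5 use=1
tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40001 dport=443 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=443 dport=40001 mark=257 use=1'

# Print the original-direction source of every entry that "-m MARK/MASK" selects.
ct_mark_filter() {            # $1 = MARK, $2 = MASK; stdin = conntrack -L lines
    while IFS= read -r line; do
        src=$(echo "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); exit } }')
        cur=$(echo "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^mark=/) print substr($i, 6) }')
        if ct_mark_matches "$cur" "$1" "$2"; then
            echo "$src"
        fi
    done
    return 0
}
```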

.SS PROTOCOL FILTER PARAMETERS
.TP
TCP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "state"
TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT,
LAST_ACK, TIME_WAIT, CLOSE or LISTEN.

.TP
UDP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction

.TP
ICMP-specific fields:
.TP
.BI "--icmp-type " "TYPE"
ICMP Type. Has to be specified numerically.
.TP
.BI "--icmp-code " "CODE"
ICMP Code. Has to be specified numerically.
.TP
.BI "--icmp-id " "ID"
ICMP Id. Has to be specified numerically (optional).

.TP
UDPlite-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction

.TP
SCTP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "state"
SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED, ESTABLISHED,
SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.
.TP
.BI "--orig-vtag " "value"
Verification tag (32-bit value) in the original direction
.TP
.BI "--reply-vtag " "value"
Verification tag (32-bit value) in the reply direction

.TP
DCCP-specific fields (needs Linux >= 2.6.30):
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "state"
DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN, CLOSEREQ, CLOSING,
TIMEWAIT.
.TP
.BI "--role " "[client|server]"
Role that the original conntrack tuple is tracking

.TP
GRE-specific fields:
.TP
.BI "--srckey, --orig-key-src " "KEY"
Source key in original direction (in hexadecimal or decimal)
.TP
.BI "--dstkey, --orig-key-dst " "KEY"
Destination key in original direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-src " "KEY"
Source key in reply direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-dst " "KEY"
Destination key in reply direction (in hexadecimal or decimal)

.SH DIAGNOSTICS
The exit code is 0 for correct function.  Errors which appear to be caused by
invalid command line parameters cause an exit code of 2.  Any other errors
cause an exit code of 1.

.SH EXAMPLES
.TP
.B conntrack \-L
Show the connection tracking table in /proc/net/ip_conntrack format
.TP
.B conntrack \-L -o extended
Show the connection tracking table in /proc/net/nf_conntrack format, with
additional information.
.TP
.B conntrack \-L \-o xml
Show the connection tracking table in XML
.TP
.B conntrack \-L \-o save
Show the connection tracking table in conntrack syntax format
.TP
.B conntrack \-L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format, with
additional information.
.TP
.B conntrack \-L --src-nat
Show source NAT connections
.TP
.B conntrack \-E \-o timestamp
Show connection events together with the timestamp
.TP
.B conntrack \-D \-s 1.2.3.4
Delete all flows whose source address is 1.2.3.4
.TP
.B conntrack \-U \-s 1.2.3.4 \-m 1
Set the connmark of all flows whose source address is 1.2.3.4 to 1
.TP
.B conntrack -L -w 11 -o save | sed "s/-w 11/-w 12/g" | conntrack --load-file -
Copy all entries from ct zone 11 to ct zone 12
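.PP
As an added example that is not part of this man page, the following shell
function reads "conntrack \-E \-o timestamp" output and reports, from a
defender's point of view, original-direction sources that opened more NEW flows
than a threshold. The event lines are constructed in that output format.

```shell
# Added example, not part of the conntrack man page: a detection helper that
# reads "conntrack -E -o timestamp" output and reports original-direction
# sources that opened more NEW flows than a threshold. The sample lines below
# are constructed in that output format (a tab or spaces after the timestamp
# both split into awk fields).

SAMPLE_EVENTS='[1565366400.000001] [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40001 dport=22 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=22 dport=40001
[1565366400.000120] [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40002 dport=23 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=23 dport=40002
[1565366400.000250] [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40003 dport=80 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=80 dport=40003
[1565366400.000380] [UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40000 [ASSURED]
[1565366400.000500] [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40004 dport=443 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=443 dport=40004
[1565366400.000610] [NEW] udp      17 30 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353
[1565366400.000720] [DESTROY] tcp      6 src=10.0.0.8 dst=10.0.0.9 sport=40001 dport=22 src=10.0.0.9 dst=10.0.0.8 sport=22 dport=40001
[1565366400.000830] [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40005 dport=22 [UNREPLIED] src=10.0.0.9 dst=10.0.0.8 sport=22 dport=40005'

# Print "SRC new=N distinct_dports=M" for each source with more than $1 NEW events.
ct_new_flows_per_src() {      # $1 = threshold; stdin = conntrack -E -o timestamp lines
    awk -v limit="$1" '
    $2 == "[NEW]" {
        src = ""; dport = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^src=/   && src == "")   src = substr($i, 5)    # first src=: original direction
            if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)  # first dport=: original direction
        }
        if (src == "") next
        count[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END {
        for (s in count)
            if (count[s] > limit + 0)
                print s " new=" count[s] " distinct_dports=" ports[s]
    }' | sort
}
```

Fed from a live "conntrack \-E \-o timestamp \-e NEW" pipe instead of the sample, the same function works as a simple running counter; UPDATE and DESTROY events are ignored.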

.SH BUGS
Please report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).

.SH SEE ALSO
.BR nftables (8),
.BR iptables (8),
.BR conntrackd (8)
.br
See
.BR "http://conntrack-tools.netfilter.org"

.SH AUTHORS
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the
kernel-level "ctnetlink" interface that is used by the conntrack tool.
.PP
Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte added
support for conntrack\-based accounting counters.
.PP
Man page written by Harald Welte <laforge@netfilter.org> and
Pablo Neira Ayuso <pablo@netfilter.org>.
